As you indicate, Logstash has some features to join related documents in the ingest stream.

Another general approach is to land the events in the index first and then use a job to periodically (every few seconds?) update a separate "session" index with the latest recorded activities in the event index.
See: "[entity-centric indexing](https://twitter.com/elasticmark/status/1009380268409610240)".

---